Skip to content
AIエージェント

A Control Plane Is Not an Agent Framework: The Distinction Enterprises Keep Missing

An agent framework makes agents run. A control plane governs what they're allowed to do. Here's the architectural line platform teams keep missing, and why you need both.

Zof Reliability Team · エンジニアリング & プロダクト

2025年10月14日 · 読了時間 8 分 · 2025年10月14日 更新

Share
01

Two systems that get sold as one

An agent framework answers a runtime question: how do agents execute? It handles the mechanics of getting work done. A control plane answers a governance question: what is each agent permitted to do, under what policy, with what proof? These map to genuinely different concerns.

ConcernAgent framework (orchestration)Control plane (governance)
Core questionHow do agents run?What are agents allowed to do?
Primary objectsTools, prompts, memory, planning loops, retriesPolicy, authority, approval, audit, evidence
Failure it preventsThe agent gets stuck or can't actThe agent acts when it shouldn't
OutputA completed taskA governed, attributable action
OwnerApplication / ML teamPlatform, security, compliance

The reason this matters: orchestration optimizes for capability, and capability without constraint is exactly the risk profile a serious enterprise is trying to avoid. The framework's whole job is to remove friction between intent and action. The control plane's job is to put the *right* friction back, at the points where it counts, and nowhere else.

You can buy or build the framework. Many teams already have one, sometimes several. What almost nobody has by default is the layer that decides whether a given action should execute against production, who authorized it, and whether you can later prove the whole thing was safe. Zof ships both, with Agent Framework handling execution and Governance handling authority, but the two are deliberately separate primitives, because collapsing them is the mistake.

02

Why orchestration alone fails in production

A framework that only makes agents capable runs into the same wall every time autonomy meets a real system. The wall has three structural cracks.

It has no model of what a change touches. An orchestration loop knows the tools it can call. It does not know that the service it is about to restart sits on the request path for checkout, or that the dependency it is bumping fans out to forty consumers. Without a live map of the system, "act" is a blind operation. The agent is reasoning over a stale mental model, the same way a new engineer would on their first day, except faster and with more authority.

It treats "the task ran" as success. Orchestration declares victory when the plan completes. But a completed plan is not a safe outcome. Roughly 41% of codebases are now AI-generated, and industry research puts the rate at which AI coding tasks introduce a critical flaw or security issue near 45%. An agent that confidently completes a task is, a meaningful fraction of the time, confidently shipping a defect. Capability is not correctness.

It has no answer for the audit. When the change goes wrong, the questions are governance questions: what was proposed, what was authorized, who authorized it, what actually executed, and how do we know it was verified? A framework's logs tell you the agent *tried* something. They rarely constitute defensible evidence that the action was permitted and proven. The cost of poor software quality, estimated at $2.41 trillion, is in large part the bill for systems that could act but could not account for their actions.

This is why "we wired up an agent" so often becomes "we wired up an agent and then turned off its write access." Teams discover that pure orchestration gives them a capable system they cannot trust, so they neuter it back into a suggestion engine. That is not governed autonomy. It is autonomy abandoned because the governing layer was never built.

03

What the control plane adds, mechanically

Governance is not a policy document or a Slack approval step bolted onto a framework. It is a set of architectural primitives the orchestration layer cannot supply on its own.

  • A change-aware model of the system. You cannot govern what you cannot reason about. A live System Graph maps services, dependencies, and CI/CD so every proposed action is evaluated against current reality, not a diagram from last quarter. This is what lets the control plane compute blast radius before anything executes.
  • Validation as a gate, not a report. Testing Fleets plan, execute, and maintain validation that is aware of what changed, producing a verdict the control plane can act on, rather than a coverage number that rots as the system evolves.
  • Authority that lives outside the agent. The governing principle is agents propose, humans authorize. The agent can assemble the change, run validation, and stage a fix. It does not get to authorize its own dangerous actions. Policy and approval are first-class, configurable, and external to the orchestration loop.
  • Evidence as a primary output. Every governed action emits an audit-ready record of proposal, authorization, execution, and verification. For work that runs inside a customer boundary, Edge Runners execute as signed capsules and emit that evidence from inside the enclave, where it survives a compliance review instead of living in an editable log.

The sharpest place this shows is remediation. Autonomous fixing is the most consequential thing an agent can do, which is exactly why it must be the most governed. Remediation Fleets propose scoped fixes; governance decides whether and how they execute. Unsupervised autonomous fixing against production is reckless. The governance, policy, approval, audit, is the engineering.

04

You need both, wired in the right order

This is not an argument that frameworks are bad and control planes are good. It is an argument that they are different layers and that the control plane has to sit *above* the orchestration layer, not inside it. The orchestration generates intent and capability. The control plane decides what intent is permitted to become action.

Walk a hypothetical. Consider a B2B SaaS platform team whose agent detects a memory leak in a billing service and drafts a fix.

  • Orchestration plans the fix, writes the patch, and prepares the deploy. This is the framework doing its job.
  • Governance intercepts before execution. The System Graph flags that billing is a revenue-path, regulated-data node. Testing Fleets validate the affected surfaces and confirm the leak is resolved without adjacent regressions. Policy routes the change for human authorization because of where it lands.
  • Verification confirms the result and attaches evidence.

The agent did real, capable work. A human held authority at the one decision that genuinely warranted it, and the org has proof. That ordering, capability gated by authority gated by evidence, is the whole point. Reachability-based prioritization, which can mean 70 to 90% less exploitable exposure, lives in this layer too: the control plane spends human attention on what is actually reachable, not on a flat list of everything the agent could touch.

05

What to do Monday morning

You probably already have orchestration. The gap is almost always on the governance side. Find it deliberately.

  1. Trace one agent action end to end. For a single autonomous action, ask: where is the authority check, where is the evidence, and where is the blast-radius reasoning? If any answer is "in the logs" or "the engineer eyeballs it," that is your missing layer.
  2. Separate capability from permission in writing. List what your agents *can* do versus what they are *allowed* to do without a human. The gap between those two lists is your governance backlog.
  3. Govern one high-stakes surface, automate one safe one. Pick a revenue or regulated path and require authorization plus evidence. Pick a low-criticality path and let it run governed and unattended. Both are governed autonomy.
  4. Demand an audit record from one workflow. Require that a single agent-driven change produce a defensible trail, not a transcript.

For the deeper case on why capable agents need this now, the AI code testing imperative makes the argument, and how it works shows the loop end to end.

06

The bottom line

続きを読む

01Zof Console

姿勢、操作、次に注意が必要なことを 1 つの面で確認できます。

エンジニアリング、QA、SREの各チームが毎日開く認証済みのホーム。品質の姿勢、進行中の実行、モジュールごとのカバレッジ、そして次に注目すべきことが分かります。

運用上の KPI

実行数、カバレッジ、リスク

出荷先のあらゆる環境に対応します。

ワークスパイン

仕様・テスト・スケジュール

仕様から計画された回帰まで。

ガードレール

RBAC・SSO・監査

指定された人間に起因するすべての行為。

LIVE/console
Zof AI ホーム コマンド センターには、94% パスでの 12 件の実行、3 つの未解決の重大な問題、84% のカバレッジ、4 つのモジュール トレーサビリティ バー、仕様パイプライン、今後のスケジュール、アクティブ実行サイドバー付きの推奨される次のアクションが表示されます。
ホーム ビュー · チェックアウト サービス · ステージング · 製品からライブでキャプチャ。
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

A Control Plane Is Not an Agent Framework: The Distinction Enterprises